The US Department of Health and Human Services (HHS) has reported an “all-time record year” in healthcare breach enforcement activity, with organizations paying out more than $28 million in settlement costs in 2018. Last year, the HHS Office for Civil Rights (OCR) – the unit tasked with enforcing the HIPAA healthcare privacy law – settled 10 cases and secured one judgment.
Together, those cases resulted in US healthcare organizations paying out $28.7 million, up from the $19 million reported in 2017 and surpassing the previous record of $23.5 million in 2016. The record HIPAA-related settlement total seen in 2018 was driven primarily by a high-profile data security incident involving Anthem, which resulted in the personally identifiable information of almost 79 million patients being exposed.
In October, the US health insurance provider agreed to pay a whopping $16 million and take “substantial corrective action” following a series of cyber-attacks that resulted in the largest US health data breach on record. Other seven-figure OCR settlements in 2018 related to data security incidents at Fresenius Medical Care ($3.5 million) and Cottage Health ($3 million).
The sole judgment involved the University of Texas MD Anderson Cancer Center, which was ordered to pay $4.3 million following three separate data breaches in 2012 and 2013. These incidents involved the theft of an unencrypted laptop and the loss of two unencrypted USB thumb drives containing the clear-text healthcare data of more than 33,500 people.
“OCR’s investigation found that MD Anderson had written encryption policies going back to 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI [electronic protected health information],” the OCR said in its annual review.
“Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to encrypt ePHI until 2011, and even then it did not encrypt its inventory of electronic devices containing ePHI between March 24, 2011, and January 25, 2013.”
This particular judgment is under appeal with the HHS Departmental Appeals Board.
As required by the United States HITECH Act, all breaches of unsecured health data affecting 500 individuals or more must be publicly disclosed in the US. This year, Managed Health Services (MHS) of Indiana had the dubious honor of being the first healthcare organization to be listed on the so-called ‘HIPAA Wall of Shame’ in 2019. As previously reported by The Daily Swig, the protected healthcare information of more than 30,000 MHS patients may have been compromised following a phishing attack against partner organization LCP Transportation.